Explicit cluster roles for controller/webhook, not cluster-admin

[vaikas]

Fixes #749

Proposed Changes

• Create a service account for running webhook (eventing-webhook)
• create 2 new cluster roles: knative-eventing-webhook, knative-eventing-controller
• create 2 clusterrole bindings

Release Note

 * webhook now runs as: eventing-webhook service account
 * controller now runs as eventing-controller service account
 * controller and webhook run with less priviledges (was using cluster-admin) 

[Harwayne]

My preference would be to put these into the previous list, so that after each foo, we then have foo/status. I think that will make it easier to see when one has been forgotten.

[grantr]

Thanks so much for doing this @vaikas-google! It's embarrassing that we've had cluster-admin for so long.

How did you come up with the list of permissions for the controller SA?

[grantr]

Does the controller really need write permissions on CRDs?

[Harwayne]

Do these permissions apply to CRDs or all the custom resources whose type is a CRD? If the former, why do we need any permissions on CRDs?

[vaikas]

left over cruft, removed.

[grantr]

I wonder if this is a candidate for a (namespaced) Role so the webhook doesn't have access to all secrets everywhere. Seems like maybe configmaps and deployments permissions could also be namespaced.

[vaikas]

ok to make this into a separate issue and tackle that in a followup?

[evankanderson]

+1 to a followup issue.

[evankanderson]

A few more comments, but thanks for doing this.

If you want the further refinements to go into another PR, feel free to open an issue; this is already a definite improvement.

/hold
/lgtm

[evankanderson]

Do we need list/delete/watch on events? (Or create/update/patch for namespaces, secrets or serviceaccounts?)

May not be worth pulling out separately.

[evankanderson]

We merge the "foo" and "foo/status" on line 34. Do we want to do the same here?

[vaikas]

sure thing, done.

[evankanderson]

It's strange to have this apiGroup down here but virtualservices on line 30.

Maybe put in a comment # Resources we create as part of our side effects

[vaikas]

my bad :) moved...

[evankanderson]

Why do we need these permissions on rolebindings?

[vaikas]

these are needed for triggers.

[evankanderson]

Ah -- this is actually needed for the namespace Broker auto-provisioner. https://github.com/knative/eventing/blob/master/pkg/reconciler/v1alpha1/namespace/namespace.go#L264

I wonder if we want to extract the Broker auto-provisioner at some point in the future.

[evankanderson]

+1 to a followup issue.

[evankanderson]

/lgtm
/approve

[evankanderson]

Ah -- this is actually needed for the namespace Broker auto-provisioner. https://github.com/knative/eventing/blob/master/pkg/reconciler/v1alpha1/namespace/namespace.go#L264

I wonder if we want to extract the Broker auto-provisioner at some point in the future.

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson, vaikas-google

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [evankanderson,vaikas-google]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[evankanderson]

As long as this is titled "WIP", it won't merge. (FYI)

[Harwayne]

Rename to eventing-webook, or something similar as this is no longer granting admin.

Do a similar rename to eventing-controller-admin. This will mean that it won't update the existing RBAC on upgrade, if you consider that important.

[Harwayne]

We use create in the webhook?

[Harwayne]

/lgtm
/hold

Holding in case you want to change in response to my comments. If not, feel free to cancel the hold yourself.

[evankanderson]

/lgtm

[vaikas]

I've created:
#982
to audit the roles. I want to get this in as it's clearly an improvement and then we can improve in a follow up.